DSR Fachdienst OPA / policies

Note

This software is a proof of concept and is not intended for production use. It will not be maintained or receive updates. Concepts from this project will be used in gematik specifications to standardize Zero Trust in Telematics Infrastructure. Developers are encouraged to use the implementation ideas in their own software.

Note: opa and docker must be installed locally

Build OPA bundle

opa build -b src/bundle/ -o dsr-fachdienst-policy-bundle.tar.gz

Configure (generate mandatory keys)

./configure.sh

set your opa-user password in file nginx/.htpasswd overwrite public key (generated by configure.sh in step above) in section "bundle_sign_puk" of file opa/opa-config.yaml

OR: Build & Sign OPA bundle

opa build -b src/bundle/ -o dsr-fachdienst-policy-bundle.tar.gz --signing-key sign/bundle_sign_prk.pem --signing-alg ES256 --claims-file sign/claims.json

ops sign command to create .signatures.json

opa sign --signing-key sign/bundle_sign_prk.pem --signing-alg ES256 -b src/bundle/

Inspect the OPA bundle

opa inspect dsr-fachdienst-policy-bundle.tar.gz

Test

opa test -v src -f pretty --explain full

Test with Coverage

opa test -v src -f pretty --explain full --coverage --format=json

---

Build the dsr/opa-bundle-server container image (based on NGINX)

docker build -t dsr/opa-bundle-server .

Run dsr/opa-bundle-server

docker run -p 8787:80 dsr/opa-bundle-server

Verify the dsr/opa-bundle-server

curl --location 'http://localhost:8787/opa-bundle/dsr-fachdienst-policy-bundle.tar.gz' --header 'Authorization: Basic b3BhLXVzZXI6Tk9fU0VDUkVU' -o dsr-fachdienst-policy-bundle.tar.gz

---

Run dsr/opa-bundle-server and a OPA server instance (locally)

docker compose -f docker-compose-deployLocal-OPA.yml up